Civitas - Cornell University

Civitas
Toward a Secure Voting System
Michael Clarkson
Cornell University
Stevens Institute of Technology
March 30, 2009
Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C.
Civitas


Electronic voting system; 21,000 LOC
[Clarkson, Chong, and Myers, Oakland 2008]
Clarkson: Civitas
2
Evolution of Voting Technology
State of Secure Electronic Voting
Major commercial voting systems are insecure
  California reviews [Wagner, Wallach, Blaze, et al.]
Academics are pessimistic
  SERVE report [Jefferson et al.]

Security of Voting
Was your vote captured correctly?
Was your vote counted correctly?
Can the tally be independently verified?
Is your vote anonymous?
Can anyone sell their vote?
Can voters be coerced?
…

Potential Threats
Outsiders
Programmers
Election officials
Candidates and parties
Employers, organizations, spouses, …
Voters
…Voting systems have some of the strongest and hardest security requirements of any systems

Civitas Security Model
No trusted supervision of polling places
  Including voters, procedures, hardware, software
  Voting could take place anywhere
Remote voting
  Generalization of “Internet voting” and “postal voting”
No unilateral trust in an election authority
  Instead, mutually distrusting set of authorities
Distributed trust

Adversary
Corrupt all but one of each type of election authority
Perform any polynomial time computation
Control network
Coerce voters, demanding secrets or behavior, remotely or physically
Security properties: Confidentiality, integrity, availability

Integrity
Verifiability:
The final tally is correct and verifiable.
Including:
  Voters can check that their own vote is included
  Universal verifiability: Anyone can audit the election results; no votes added, changed, or deleted [Sako and Kilian 1995]

Confidentiality
Voter coercion:
Employer, spouse, etc.
Coercer can demand any behavior (abstain, sell)
Coercer can observe and interact with voter during remote voting
Must prevent coercers from trusting their own observations

Confidentiality
Coercion resistance:
The adversary cannot learn how voters vote, even if voters collude and interact with the adversary.
> receipt-freeness
= CR - interaction
> anonymity
too weak
= RF - collusion
Availability
Tally availability:
The final tally of the election is produced.
We assume that this holds
To guarantee, would need to make system components highly available, etc.
But it’s really about the votes

Building Civitas
Started with abstract voting protocol… [Juels, Catalano, and Jakobsson, WPES 2005]
Extended design to improve security and performance
Implemented in security-typed language (Jif)
Evaluated security and performance

Civitas Architecture
[Diagram: voter client, registration tellers, ballot boxes, tabulation tellers, bulletin board]

Registration
[Diagram: Civitas architecture]
Voter retrieves credential share from each registration teller; combines to form credential

Registration
[Diagram: registration tellers, credential share, voter client, credential]

Properties of Credentials
Verifiable
  Teller must prove that share is good, but proof is convincing only to voter
  Voter can’t sell share
Anonymous
  No subset of shares reveals information about credential
  Credentials can’t be linked to voters
Unforgeable
  Creating new credential requires participation of all tellers
  Tellers can’t “stuff the ballot box”

Registration
[Diagram: Civitas architecture]
JCJ: single trusted registrar
Civitas: distributed trust
  Improved confidentiality and integrity

Voting
[Diagram: Civitas architecture]
Voter submits copy of encrypted choice and credential (plus proofs) to each ballot box

Properties of Votes
Anonymous
  Credentials are anonymous
  Submitted over anonymous channel
Replicated
  Votes can be deleted only if all ballot boxes collude
Non-malleable
  No one can construct “related” votes
  Votes can’t be changed or spoiled

Resisting Coercion
Voters substitute fake credentials
  To adversary, fake  real
  Votes with fake credentials removed during tabulation without revealing which are fake
For any behavior adversary demands…
  Voter complies, with fake credential
Voter needs untappable channel to a registration teller

Voting
[Diagram: Civitas architecture]
JCJ: no ballot boxes
Civitas: distributed storage
  Votes highly available

Tabulation
[Diagram: Civitas architecture]
Tellers retrieve votes from ballot boxes

Tabulation
[Diagram: Civitas architecture]
Tabulation tellers anonymize votes with mix network [Chaum 1981]

Mix Network
[Diagram: three tabulation tellers]

Tabulation
[Diagram: Civitas architecture]
Tellers eliminate unauthorized credentials; decrypt remaining choices; post proofs

Properties of Tabulation
Verifiable
  Tellers post zero-knowledge proofs during tabulation
Coercion-resistant
  No credentials (valid or fake) ever revealed
  Voters can undetectably fake credentials
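
An added sketch (not code from the Civitas prototype) of the mechanism in the Registration, Resisting Coercion and Tabulation slides: credential shares combine into one credential, and a plaintext equivalence test drops the ballot cast with a fake credential without decrypting any credential. Assumptions: toy group parameters, additive shares combined homomorphically, a single key holder standing in for the distributed tabulation-teller key, and choices left in the clear with no mix network or proofs; all function names are hypothetical.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# safe prime P = 2Q + 1; G generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                  # (private key, public key)

def enc(y, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(y, r, P) % P

def dec(x, c):
    return c[1] * pow(c[0], Q - x, P) % P   # c[0] has order Q, so this is c[0]^-x

def mul(c1, c2):
    # El Gamal is multiplicatively homomorphic: the result encrypts m1 * m2.
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def register(y, tellers=3):
    # Each registration teller picks a share and publishes its encryption.
    shares = [secrets.randbelow(Q) for _ in range(tellers)]
    public = enc(y, 1)
    for s in shares:
        public = mul(public, enc(y, pow(G, s, P)))
    return sum(shares) % Q, public          # private credential, roster entry

def pet(x, c1, c2):
    # Plaintext equivalence test: decrypt (c1 / c2)^z for a random nonzero z.
    # The result is 1 exactly when both ciphertexts hold the same plaintext.
    z = secrets.randbelow(Q - 1) + 1
    quot = mul(c1, (pow(c2[0], P - 2, P), pow(c2[1], P - 2, P)))
    return dec(x, (pow(quot[0], z, P), pow(quot[1], z, P))) == 1

def cast(y, credential, choice):
    return enc(y, pow(G, credential, P)), choice

def tabulate(x, roster, ballots):
    # Count a ballot only if its encrypted credential matches a roster entry.
    return [choice for cred, choice in ballots
            if any(pet(x, cred, entry) for entry in roster)]

def demo():
    x, y = keygen()
    real, entry = register(y)
    fake = (real + 1) % Q                   # any other value serves as a fake
    ballots = [cast(y, fake, "demanded by coercer"), cast(y, real, "voter's own")]
    return tabulate(x, [entry], ballots)
```

Each ballot is compared against each roster entry, which is the pairwise cost that the later slides bound by tallying per block.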
Tabulation
[Diagram: Civitas architecture]
JCJ: O(V²)
Civitas: O(B²), B ≪ V
  Improved scalability

Blocks
Block is a “virtual precinct”
  Each voter assigned to one block
  Each block tallied independently of other blocks, even in parallel
Tabulation time is:
  Quadratic in block size
  Linear in number of voters
    If using one set of machines for many blocks
  Or, constant in number of voters
    If using one set of machines per block

Civitas Architecture
[Diagram: voter client, registration tellers, ballot boxes, tabulation tellers, bulletin board]

Cryptographic Protocols
Leverage the literature:
  El Gamal; distributed [Brandt]; non-malleable [Schnorr and Jakobsson]
  Proof of knowledge of discrete log [Schnorr]
  Proof of equality of discrete logarithms [Chaum & Pedersen]
  Authentication and key establishment [Needham-Schroeder-Lowe]
  Designated-verifier reencryption proof [Hirt & Sako]
  1-out-of-L reencryption proof [Hirt & Sako]
  Signature of knowledge of discrete logarithms [Camenisch & Stadler]
  Reencryption mix network with randomized partial checking [Jakobsson, Juels & Rivest]
  Plaintext equivalence test [Jakobsson & Juels]

Civitas Security Assurance
Design
  JCJ proof of coercion resistance and verifiability
    We extended proof
  Backes et al. (CSF 2008) verification with ProVerif
    Working to verify Civitas
Implementation
  …leverages language-based security

Secure Implementation
In Jif [Myers 1999, Chong and Myers 2005, 2008]
Security-typed language
  Types contain information-flow policies
    Confidentiality, integrity, declassification, erasure
If policies in code express correct requirements…
(And Jif compiler is correct…)
  Then code is secure w.r.t. requirements

Civitas Policy Examples

Confidentiality:
  Information: Voter’s credential share
  Policy: “RT permits only this voter to learn this information”
  Jif syntax: RT  Voter
Confidentiality:
  Information: Teller’s private key
  Policy: “TT permits no one else to learn this information”
  Jif syntax: TT  TT
Integrity:
  Information: Random nonces used by tellers
  Policy: “TT permits only itself to influence this information”
  Jif syntax: TT  TT

Civitas Policy Examples

Declassification:
  Information: Bits that are committed to then revealed
  Policy: “TT permits no one to read this information until all commitments become available, then TT declassifies it to allow everyone to read.”
  Jif syntax: TT  [TT commAvail  ]
Erasure:
  Information: Voter’s credential shares
  Policy: “Voter requires, after all shares are received and full credential is constructed, that shares must be erased.”
  Jif syntax: Voter  [Voter credConst T ]

Civitas LOC
Component                                  Approx. LOC
Tabulation teller                          5,700
Registration teller                        1,300
Bulletin board, ballot box                 900
Voter client                               800
Other (incl. common code)                  4,700
Total Jif LOC                              13,400
Low-level crypto and I/O (Java and C)      8,000
Total LOC                                  21,400

Policy             Distinct annotations
Confidentiality    20
Integrity          26

Real-World Cost
Tradeoff: cost of election vs. security, usability, …
Current total costs are $1-$3 / voter
[International Foundation for Election Systems]
We don’t know the total cost for Civitas
…Computational cost of advanced cryptography?
Tabulation Time vs. Anonymity
[Plot] K = # voters, # tab. tellers = 4, security strength ≥ 112 bits [NIST 2011–2030], 3GHz Xeons

Tabulation Time vs. # Voters
[Plot: sequential and parallel tabulation, K = 100]

CPU Cost for Tabulation
CPU time is 39 sec / voter / authority
If CPUs are bought, used (for 5 hours), then thrown away:
  $1500 / machine = $12 / voter
If CPUs are rented:
  $1 / CPU / hr = 4¢ / voter
…for this extra cost, we get increased security

Ranked Voting Methods
Voters submit ordering of candidates:
  Vanilla               4
  Chocolate             1
  Strawberry            3
  Cookie dough          2
  Mint chocolate chip   5
Examples: Condorcet, STV/IRV, Borda, …

Ranked Voting Methods
Low-order rankings create a covert channel
  Vanilla               X
  Chocolate             X
  Strawberry            X
  Cookie dough          X
  Mint chocolate chip   1
4! completions
Coercion intrinsically possible

Civitas Voting Methods
Civitas implements coercion-resistant:
  Condorcet
  Approval
  Plurality
Intuition: decompose ballot

Summary
Civitas is a remote voting system
Civitas contributes to:
Protocols (theory of voting):
  Distributed trust in registration for confidentiality
  Distributed vote storage for availability
  Introduced blocks (virtual precincts) for scalability
  Articulated and analyzed trust assumptions
  Efficient coercion-resistant Condorcet voting
Systems (practice of voting):
  Developed full, concrete protocols
  Implemented system
  Studied performance

Related Work
Abstract voting schemes:
  [Baudron et al.; Benaloh; Benaloh and Tuinstra; Boyd; Chaum; Chaum, Ryan, and Schneider; Chen and Burmester; Cohen and Fischer; Cramer, Gennaro, and Schoenmakers; Fujioka, Okamoto, and Ohta; Hirt and Sako; Iversen; Kiayias and Yung; Magkos et al.; Merritt; Neff; Niemi and Renvall; Sako and Kilian; Ohkubo et al.; Ohta; Okamoto; Park et al.; Rivest]
  …
Implemented voting systems:
  Adder [Kiayias, Korman, Walluck]
  ElectMe [Shubina and Smith]
  EVOX [Herschberg, DuRette]
  Helios [Adida, Rivest]
  Prêt à Voter [Schneider, Heather, et al.; Ryan; Chaum]
  Punchscan [Stanton, Essex, Popoveniuc, et al.; Chaum]
  REVS [Joaquim, Zúquete, Ferreira; Lebre]
  Sensus [Cranor and Cytron]
  VoteHere [Neff]
  W-Voting [Kutyłowski, Zagórski, et al.]
Civitas: Strongest coercion resistance, first to offer security proofs or information-flow analysis

Web Site
http://www.cs.cornell.edu/projects/civitas
Technical report with concrete protocols
Source code of our prototype